I'm encountering the exact same issue as droidus. I can execute the scan, but all results in the console and in the report are showing as not applicable. Has anyone found a solution to this? I just downloaded the security content this morning and the CPE dictionary for rhel8 includes CentOS as fassl mentioned, but still every finding is not applicable.